Critical OpenClaw Vulnerability CVE-2026-25253 Actively Exploited — Patch Now
A critical severity vulnerability (CVSS 9.8) in OpenClaw Gateway is being actively exploited in the wild, the OpenClaw team confirmed. The flaw, designated CVE-2026-25253, affects all versions prior to v3.x and allows attackers to execute arbitrary code through the exposed management port 18789.
What You Need to Do
Check your version:
openclaw --version
Upgrade to the latest patched release:
npm install -g @openclaw/cli@latest
Verify patch status:
openclaw doctor --security
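Putting those steps together, here is a small POSIX sh triage helper (an added example, not the OpenClaw project's own tooling). It assumes `openclaw --version` prints a bare semver such as `2.14.3` or `v2.14.3`, that every 3.x release carries the fix, and that Linux `ss -ltn` is available to list listening sockets; the socket listing embedded below is constructed for offline use.

```shell
#!/bin/sh
# Assumptions (not from the advisory): `openclaw --version` prints a bare
# semver like "2.14.3" or "v2.14.3", and any 3.x or later release is patched.

# Return 0 when the given OpenClaw version predates the patched 3.x line,
# 1 when it is 3.x or later, and 2 when the string cannot be parsed.
openclaw_version_is_vulnerable() {
    v="${1#v}"                          # strip an optional leading "v"
    major="${v%%.*}"                    # text before the first dot
    case "$major" in
        ''|*[!0-9]*) return 2 ;;        # unparseable: unknown, not "safe"
    esac
    [ "$major" -lt 3 ]
}

# Return 0 when a listening-socket listing (`ss -ltn` output) shows the
# management port 18789 bound to something other than a loopback address.
gateway_port_is_exposed() {
    printf '%s\n' "$1" | awk '
        $4 ~ /:18789$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ss -ltn` output, used to demonstrate the check offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*'

# Print a triage verdict for a version string and a socket listing.
triage() {
    ver="$1"; listing="$2"
    rc=0; openclaw_version_is_vulnerable "$ver" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: OpenClaw $ver predates the patched 3.x release" ;;
        1) echo "OK: OpenClaw $ver is at or beyond the patched line" ;;
        *) echo "UNKNOWN: could not parse version '$ver'" ;;
    esac
    if gateway_port_is_exposed "$listing"; then
        echo "EXPOSED: port 18789 is listening on a non-loopback address"
    fi
}

# Live use on a Linux host: triage "$(openclaw --version)" "$(ss -ltn)"
triage "v2.14.3" "$SAMPLE_SS"
```

A VULNERABLE verdict combined with EXPOSED is the case the advisory is about; an OK verdict does not replace running `openclaw doctor --security` after the upgrade.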
Background: The Quarter of Security Wake-Up
This patch comes as Q1 2026 has been dubbed the “security awakening quarter” for OpenClaw. A Bitdefender audit released this month found 135,000+ exposed OpenClaw instances and 30,000+ confirmed compromised. The ClawHavoc incident also saw 2,400+ malicious skills removed from ClawHub.
In response, the team has hardened Gateway defaults, added VirusTotal integration for all newly uploaded skills on ClawHub, and introduced new CLI commands for reporting suspicious skills.
If your version is older than the latest patched release — upgrade immediately.